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•SYST^^ METHOD OF ADDRESSING EMAIL AISi>^ EIJSCTJ^ONIC 

COMMUNICATION FRAUD 

' jpiELfi OFTHE IN^EN^ . • 

. • The - pTegent . inve relates, to email fraud detection and. preyenlioiij, more ; 
: specificaUy td.ititeifCTnig with and/or trackmg catain frauduieat attacks; fuilihemio^^^ the. 
preseat invention relates to testing data gathering systems. 

BACKgAoU^ THE INVENTION 

The fapid increase in the number of users of electr0nic mail and the low. cost of. 
. distnbiiting electronic, messages via the Internet and other electronic cbidmunicatioiis . 
'. .iiet^odcs has ihade marketing and commumcatidhs with existing customers via ermail an 
: attractive, advedisiag me^ Consequently^ in addition to communic that are ; 
. waiiranted by 'consumers, , e-mail, is now frequently tised. as &e.mei3itm for 
:coirmiumcatidh.and marketing broaidcasts 6f messages to e-m^. adcfr^ comihorJy . 

khoym as VSpam" .'Tliishingi'', which may include e-mail /identity 
^:impersoniatiori are the newest forms of harmfrd Spam attacks timt threaten the integrity of 
: companies doirig business cfnline. Fraudulent !PMshing email 'messages may be 

considCTed td . be^ . for . exadiple, messages . that ^pear to .be sent, fip^ a legitunate.. 
• donipany's website or donamn address, but in fact, are niot In reality, spaiiriTners br .dther 

parties are. hijacking the company's brand fo attract .the atlehfidn of cuslor^^ often to 
:;gaid personal information. . : ■ •'; • * • ; : ^ i v : ' 

' ' . Lately, .financial, iostitutions as well as other companies that Have a trusted 
, relationship witii. their cusitomers have been att^fcked by Phishing. For sakje of. 

example, and mthout liniiting the generality of the phehomena, if a bank is attacked by 
. Phislung, individuals may receive an e-mail which is allegedly sent by the batik, and are 

pj^csuaded into supplying private or valuable identifying personal data online under.. 

several pretences — for example, witUoxit Imaitatiori, - so that fhe is^iik c£bi re them 
rto anews'ervice, ortoprctect.agaiiistimauQibiizedd^ . 

..•1. 
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i ... 

The dsms^ge to the bank, or any otber company whose identity; if. feked is 
significant PMshing can injure yalnable corporate brand equity, ruin/customer tr^ 
. incirease operational costs tbroiigb growiiig customer coiriplaints/.and present additional^ 
>nsks and^^^p^ Tke bank or other attached company may has to publish a general 

: warning to its ciistorners, and sometimes even cancel or block pe6j)le's accoutits. . . 

jhiahing may involve^ but is not limited to, for example: (1) ITie oiiginators of 
'Thishing'' e-mails attempt to make the e-mail distributed seem to ..be coming from a 
,leg[tiinate source. In order to. achieve that goal, the Phishing e-niail may be disguised as a 

. legitiinate e-matl, aiid includes elements and chaa:acteristics of a legitimate organization, 
such as (without limitationj logo, domiain names, brands and colors; (2) In. order for the 

;Pliishing to be advantageous for its origfaiators, the originators of |Thi^ung" need to 
soiiiehow div^ informLalion that the trusting consumers submit. in. response to.tiie 

[ seemingly.legitimate e-mail. Such inforniation might be diverted via for example a link to , 
k separate web-page that requires the individual to input valuable private iirforrDjation, dt . 
Via. telephone, if the. p-niail . directs the recipieiit to .call k certain telepiione numbCT 
(following which £he recipients valuable information inight be collected over the phpne). 

. Stich illegitimate links or contact telephone numbers may be referred to as '^illegitimate 
contact poiiiters". ..; • ' * . _ , ! T . '-. y^ 

■ ' The impUcatiohs of the above characteristics of Phishing are that any Phishing e- 
•mails lypicaliy ipiclude .a xnixture of both legitiinate and illegitimate contact pointers 

(such, as links to x)iihi^;.web pages or^telephone numbers). Legitimate cbiitect pointers 
. "^oiild pbint to web pages or telephone numbers that belong to legitim^e e-mail senddrs. 

iUegitimate cdntact poiliters would point to web pages or telephone numbers that belong 
/to the parties cdrnmifdiig fraud. 

SiDKDilARYOF^ 

In one embodiment, a s}^em and method may respond to a firaudulCTt attack, such as 
a Phishing attack. The system and method may send a number of tespoiises to party 
committing firaud, the responses designed to mimic the responses to a Phishing attack. 
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. The responses may include codes or marked information designed to entrap or detect .fh6 . 
•party com^ .. • 

:. Embodiments of the present invention relate to a method and system for reducing 
'negative consequj^ces associated with the submitting of valuable and confidential 
mfdrmatioiL by individuals to fraudulent impostors^ as . well as for increasing the. 
likelihood.that fraudulmt impostors be captured. 

/ Embody current invdotioia include, a system ahd metiibd for minimising 

liie inipact of Phishing scams as well as facilitating the detection of the originators of the, 
•attack. , 

BRIEF DESCKlPTION OF TBDE DRAWINGS 

. . Embodiments of the invention are illustrated by way of example and not limitation in . 
the figures of the. accoinpanying drawings, in which like reference numierals indicate . 
; cbiri^onding, analogous or sitnilaf elements, and m which: . ' 

Fig. 1 depicts a. sj/^tem according to one enibodiment of the.icLventian; and 
: 'Pig. 2 illustrates a multiple-access-poiot comput^. network which may be used .with 
: im enibodiinent of the present 
• It will;be appreciated that for simplicity 'and clarity of illustration, elements shown in 
the.figutes have not necessarily been draWn to scale. For exainjple, the diriiensions of 
. some of the elements may be exaggerated relatiye to other eleniehts for clarity. : 

DETAILED DEjSCdEUPTIQN OF THE BNfVENTION 

^ In the following description, various aspects of the present inyenlion will be 
described. For puipdses of explanation, specific configurations and details are set forth 

I;in order to provide a thorou:gh understanding of flie present invention. However, it will 
also be apparent to one skilled in the art that the present invention nmy be practiced 
without the specific details presented herein. Furthermore, well-known feature may be 

. omitted or sintplified in order not to obscure the present invention. Various examples are 
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^giv6n ffaroughout this desdription. These are merely descriptioiis of specific embodiments 
of the invention, but the scope of the invention is not limited to the examples given. . . 
. :The goal of a useful anti-PhLshing and/or antt-fimid service may include, for example, 
a!dy or all of ihe following: . . 

1 . ; [Dfetectiori of p otential PMshirig scams 

2. . CoiiSguralion options to allow the definition of Phishiiig detectLon parameters; . 
.3 . Alertmg against a detected scaxo; 

4. Option for the targeted institution (e.g., bank, financial insiittrtion,, etc.) to request: 

a. Blocking of the Phishmg e-mail . before it. reaches . tiie recipients', 
.mailboxes; . 

b. Alert to consumers' (e.g., accomtholders, cardholders^ 

c. Alfert to law enforcement or regulatory authpiities; and/ot \\\ . ; 

.*i Approyil of the mail as _ an. ofiicial e-™*^. institutipn : (non- 

; 

■ 5. Tools, for .ininnnizing the impact of the Phishing scam, as well as, tools . that 
... -facilitate detecting the Phishing originators, 

: According to one embodiment of the present invention, the detectioh^^ 
scains. can.be done . lising 'existing aiiti e-mail-spam methods which catti issue alerts., 
whenever ihey detect an eS-mail, which contains at least X (e.g., a smtaWe nu^^ where 
:= pne may be a Stable number) legitimate contact pointCTs. such, as doihains, ttademarks, 
VseiMce names, phone . nimibers, etc., by a centralized service, such as . a ."Service 
^Provider," along with illegitimate pointers. ' . ' * T 

; One such anti e-mail-spam method is called /libney pots". or ^decoys". An ahti e-.. 
inail-spkn company .that works with this .method may set txp fitiinerous ,e-m% accoimts 
that do not belong to real.people or entities, and lists tlieifi in public e-niail.giddes. If.an. 
e-mail gets to these addresses it can be either the result of a spam oi m honest mist^e..If . 
the e-inail reaches several addresses the chances of an honest mistake are sliml.. Other, 
methods may include for example content filtering or snd^ 

: Once a potential Phishing scam or o&er tmwanted data communication is identified 
soine pre-processing may be performed to make suire it is indibed a suspicious e-mail or 
communication. 
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, . :Varioiis devices and architectures, and sets of devices iiiay fomi. a system according 
to various embodiments of the present invention, and my effect, a method iaccording to 
^bodiments of the present invention. Methods according to various embodiments of the 
present invention may, for examj)le, be executed by one or more processors or cpmputing 
systems (inchiding, for exan^le, memories, processors, software, databases, etc.), which, 
for example, may be distributed across various sites or computing platforms; alternatively 
soiiie methods according to embodiments may be executed by single proc^sors or 
computing systems. The following illustration outlines a solution architecture according 
to . one. embodiment of the present invention; other suitable architectures are possible in 
accordance with other embodiments of the invention. 

; ; ;Fig. 1 depicts a system according to one embodiment of the invention. A network 10 
such as the. Ihtemet, the Internet in combination with other, networks, or some other 
..network coinbination of networics connects a set of entities. A central seryear 20 ^may . 
provide sendees such as monitoring Phishing or other e-mail oriented £:aud, and may try 
to counteract, interfere track such fraud, or atterc5>t to.track down the identity of 

-iihe prapefratqrs. A set (Where set can include one element) of histitiitiqns 30, sixch as 
baffles, finaocial . institutions, or other institutions, which may be targets of Phishing. or. 
other fraud, may reqiiest services from the central s^er 20. . One or napre parties, 
conimitting fraud (which may be known as for example **fraudsters") .40 nmy atteitnpt to 
commit fraud via email, for example via 'TPhishing", by sending fraudulent eraails to a set 
. of uisers 50, for example requesting the lasers to contact an insititittion 30 using a contact 
. poiQt or address (e.g., an binail address, an Ihtemet address, etc.) or pjhone number lhat is 
. Actually directed to the party 40 or an associate. The contact point or address may be 
•made to appear as it if belongs to a legitimate institution 30. The central server 20 may 
attempt to send fake or other information to Ihe contact point or other address to intepjere 
^^th or stop fraudulent activities, hi one embodiment server 20 monitdrs for Phishing 
: attacks; in oth^ embodiments other entities such as i£istitutions. rnay infoim^ server 20 
regarding Phishing attacks. ^ • 

The contact point may be an e-<mail address. Thus the data in a response may be sent 
•to the party committing fraud via email, possibly directiy (e.g. by the party requesting the 
i details to be sent via the '"Reply To'! email option, or by a JavaScript client side code that 
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does so automatically;, etc.) or indirectly to the party (e.g., the party may ircplement a 

- .^eb-1»-i^^ interfece, wherein the user data is eveatually sent to an email address feom 
where it is later ccillected by the party). 

• ; Central server 20 may include one or more database(s) 22, a controller or processor 
:24, and software 26, Which may include for example, an identity generator 28, or other 
suitable modules. Cofiitroller.or processor 24 may execute instructioi^s in software ^6 to 
perfom yarious^..f^ such as those described herein. The fbnctionaiity of central 
' s^er 20 may be inipleinenfed in other manners, such as being distributed among other 

. /sites, being included in. one or more institutions, etc. For example, ia one embodiment a 
. bank may include the. fraud blocking or tracking capabilities as described herein. The 
central server 20 may have as customers institutions 30 that wish, to stop and/or entrap 
/jfraud comrnitting parties, but such a customer-chent relationship is ndt needed; for 
; exatnple ceritral server 20 may be a government or non-profit entity, part of a consortium 

: of interested parties, ttr part of an institution 30. 
. : ; The central, served .2Q may detect fraudulent activity (e.g., Phishing); alternatively Ihe 
c^tral server 20 may act after being reqtiested by an other party which has detected ; / 
. fraudulmt activity, liie central server 20 may for example, provide multiple responses to 
. a :cqntact point created by a party 40. The central server may respond, multiple times to 

VtriiTnic a group of users responding to the fraud (each response niay include different ? : 

• data), and the responses may be timed, paced, and/or numbered to mimic the natural 

• response of a large group of people, j^or example, responses may start with a flurry arid 
■' then gradually slow down, and each response may be sent at a somewhat random time 

Ayithin an overall desired pattern. The total number of responses may be in proportion to 
':;SL size of tiie attack in response to which the responses are sent. For example, the number 
:*6f respohses canbe X% (e.g., 0.1%, 1%, 5%, 10%, etc.) of the number of emails or other 

<k)mknunications that constituted the Phishing or other attack, possibly based on known 

response rates. Each response naay be for escaxz^le the central server filling in or sending 
; . details to a web site or web form, possibly at the contact point. Furthermore, within each 
. .response, data may be entered at a speed an pace to mimic a human entering infonmation 

iising a keyboard and pointing device (e.g., mouse). A respofise may include a set of = 
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::idetails such as aset of Multiple sets df false p^gonal • 

• -.infoimktiou can be created and for example stored in a datafease 22., • ; 

: Atbording to one embodmient of fhe current invention the, cent^ ^erver.may.i) 
;;tiasks.sucli as, for example: Dilutioiu For example, a Phkhiig *s^eba^^^ at a' cdntact 
point defined by a party 40) maintained by a party 40 which tries to coUect data fi^ the 
- central server (or "Service Provider") customers (e.g., institutions 30) is filled with fake 
ir^ords of peoplfe, thds diluting the quality of data that the .parties cpmimtting fraud 
obtain; (2) Mark & Block: For example, using responses with loaiked data, the Phishing 

• Website which tries , to collect data from institution 30 is filled, with fake records of 
:p^ple, When the CCTLtral sesrver 20 detects that those."faace p^ 

central server 20 real . website/Service or an institution 30 Website, it may _be possible to 
; identify the source of that attempt (using the phony records) tod to block any fiirther" ; 
attempts, from. that ^anie source (e.g. IP,, location etc), this way, when the.;^arty. 
committing fraud (e.g., "fraudster") attempts to access centrai server 20 or ihstitutidn 30 
' ^^rvice using real valiiable. stplen data (and not the .feke one^ sent to it) such usage \?i^.b.e 
bj^cked, includ^ (3) Maik and Capture:! For, exam^^^^^ 

website wHch^^^^ to collect data from tlie Seiyice Providear's cti^omers;; is 
fake records,, of via responses with marked, .data. Whm the; Service Provide 

; d^ecte that these "fiike people" attempt to enter the Service Pro^dder's real website, the/ 
. Service !h:6vider can attempt to locate the party coimnitting fraud. A central Sjayer 20 or 
\:^iiistituti^ 30 can monitor, for exjaniple, an institution or central server Website, for the 
■;;-use of marked;data..in an attem^ 

;>Ajccbrding to one embodiment of the current invention duimny respoiases may be sent , 
. to the fraudulent site (e.g., maintained by a party 40) by, for example, the celntoai server 
20 as if the responses were coming from real users who were defrauded by the sbkm. The 
. fraudulent site is fed with i^seless records, and hence the quality of data that is obtained is 
• diluted. According to 5ne embodiment the amount of responses Can be configurable so 
^tat it would be consistent with the estimated attack size (importantly the estimafed 
number of users who may actually give away their personal :infomatioj^^ 
determioed by using statistical assessment). . • 
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: Aca^^ in order to avoid , suspicion oi bdhialf of tiie. party 

committing fraud 40, the central server 20 may simulate a real litmian user feeding idata at 
kn apptopriately slow, human typing pace, seemingly fix)m iniiltiple H* addr^ses with 
. intery^ between da^ 
• .. Data in a iieq>oii^e may include or be marked with for example data ot. codes 
identifiable, to a central server 20 or institution 30; . so that for. example ..its , iise can be . 
-tracked. Furfhermtpre, data may be marked with cryptographicallY encoded portions.. 
Details may be .maiked in a manner making it (for example by using a cryptographicaUy 
} strong adgoritibn^^ infeaisible to spot or detect, except for those ^ho have a cryptographic 
-key A\ath.wMch the. ii^ can be deciphered and/or extracted from the data. 
/. . 'Ail embodiment of the system and method may be designed fo reduce the quality of 
the data obtained by the party committing fraud during a Phishing attack, and thus. 
, niitigate the attack's negative consequences. By diluting the data obtained by the party 
coinmittmg fraud, the stolen data obtained, by the^ "fraudster" becomes, less valuable, 
hOTce.ieducmg t^^ to attack service providers who .tttUize the prbpM 

^mdinefliod. - 

: - According tio one embodinient a limited amount of diiinmy responses are subinitted to 

: the fraudulent site wher^ the responses are marked, sUch that the.responses can be tracked. 

:::aat a .later stage. , This may be done in combination tsdth sending un-marked resporises. 
-This way the use of the. credentials provided as part of these responses can be monitored, 
/^/heaieyer tibie system ideiitifies an attmcipt to use such ^'inarked crede^^ it is pbssible 

•fkQCordirig to one embodiment to block the access to the. Sec^ location 
;(typicaUy an IP address where '^bait information" was atterripted to be. used from), and 
therefore prevent attempts to use real, credentials from such location. According to a 

• differjent embodunent of the current invention parties committing fraud might bie located 
based oh the .marked, responses. In many cases these "'fraudsters" obtain iiiformation 
during a Phishing attack, but do not attempt to use the data for several ihonths. Madcmg 
the dummy credentials submitted to the fraudster according to the above embodiment 
iaiy allow a server or oth^ party to follow the credentials for a long period of tune. In 
addition, in other embodiments having other uses, dummy, randomized or xoanufactured. 
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;^ responses, mth^fandomized or fake data, may be submitted to other sites ..or contact 

/points, such as systemsbdng tested or debugged, or for the puxpose of training. . 
According to one enibodmient of the current invention, a multiple-access-point 

, computer network may be used to simulate responses from viarious poiate of presence via 
different network connections, such as for example Internet connections.. Parties 
coinmitting fraud therefore are not able to simply "^ignore" all inforniatioia coming from a 

;sin^e point of presence, and cannot detect that in fact feke credentials are fed. 

: Following a Phishing attack, according to one embodiment of . the current invention 
:the,systefn may in responding and sending false data use a multipler-access-point 
computer network which uses several levels of design, which helps to ensure that duixmiy 
responses are undetectable. Responding may be conducted using multiple Inteinet access 
points, multiple intermediate networks, and/or. midtiple intennediate Inteniet service 
.jJrpviders. Ihtemet accounts used to generate liie dummy responses may use dynamic 

*; network IP addresses, or use proxy servers and icnitate behavior or users that pass via 
proxy when relevant using both dialup and broadband cdnnection in order to ftikher • 

: disguise the counter-nieasure. The dialup connections may alternate between different 
telephone exchanges in order to prevent sophisticated parties conmiitting fraud from 
iiacldng the physical location of the source IP addresses. 

. Fig. 2 illustrates a miiltiple-access-point computer nehvbrk . which may be used with 
: an ercibodiment of the present invention. Users, computers, or other access points 60 may 
contact a party 40 which intends to. commit fraud via multiple ISPs or other service 
providers 100 and 102, possibly being geographically distributed, possibly via network 
lO .CFig. 1). Altemately, central server 20 may contact party 40 via multiple ISPs or other 
'■: Service providers 100 and 102. 

According to one embodiment of the inveation the central server 20 may Use. a 
scheduler or other system which may regulate the •^response sending rate" in order to 
€iisure that the dummy responcses are monitored, and may tlius simulate real responses. 
The scheduler may be important where large amounts of dummy responses are fed to the 
spoofed site in order to de-value the obtained information. As with other modules, the 
scheduler can be implQmented in the software 26. . 
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-According to another, embpdimeiit of the inventioii responses may ^® designed to. 
fesemble Human behavior and appear to be sent from actual recipients, of the firaudnlent Cr. 
iiiail. . This can l)e done for exaniple without liniitation by using Robot-like, software, 
- possibly i^ 

. ; E^h response liay include details which are intemaily coii^istent wifimi ihe . • . 
' : respoiise... For example, accordiag to 6ne embodinoLent iif the inveiition the system and : 
Ornethod includes an '^dCTitity gdcferator'', whichproduces phony details ji^^^ appe^ to be 
. legitimate (e.g., adhering to the rules of different data elements, such as user names and 
, : passwords, onlinp Vanldng credentials, credit card, details, checks etc.). The identity * : * 
; / generator maybe configm^ details aid rules. ' / ; / 

: - Ti^® id^'^tity geherator.may create dummy or fake ideiitities usinjg a lairgb database ■ 
;(e-g., p^.of databiase 22) of names, local addresses, e-inail domair^, and niqf e. Such 

The dummy identity may bie.coi^ ... V 
/ (x^jisisteht, i^^ different pieces of information do not contradict each othesTi and also 
in^ match the external conditidns (such as for exanoqple Ihtemet cbniiection)i . Titus in . 
•::;p^e ^pihpdiaieii^^^ within a req3oiise mcludes a set of deta^ 

Aphoneniim '"• 
i of :the details .may match the address as well as' the telephbnd exchange tised for a diai-iip 
6pnne6tion used to trailnsinit the response. M additidn flie e-mail aidres^ may niatch ihe 
slSP used and so on. Other sets of details may be used:. In the case of online credentiai [ ': 
^- fraud, the central server 20 may randomly generate usenmtnes andp^^ that matcji. 

We c^ompmy's rules as well as an e-raail. address wMch appeals td .inatch ]Qie iisexnjanie ' \ 
•/etc. • :V' / .* V; ^ ' ' ' . : ::' '"- ^r v^^:.;: 

\ : A.cpording to.one enibodiment of the invention a systemthat responds fo Phishing ' 
. attacks by genetating random credentials and feeding them into web-forms, coiiid seive . ' 
additional purposes such as testing services, debugging services as weU as for the sake.of • * 
demdn]strating various scenarios. Li such an embodiment, a Website or oth^ faoiitafct . ' 
point to be demonstrated, tested, etc. can be contacted multiple times to, for example, 
. enter data, JQU in a web-fotm, etc. with a set of data. Each set of data cdninciu^, for 
example, a set of details, the set of details mcluding a set of fabe periioiial iD&imation. 
The contacts or filling of data on for example the web-fonn can inclu^^ 
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• iafotpiation at sl speed designed to mimic a human entering data. The timing of the 
/ . contacting can be set t^^ Eachcontector 

ifesponseniayinch^ . ' . 

; (Foi: sirch a method, or any of the methods described herein, a database may be 
seated, includirtg a set of false or manufactured data which may be for example 
organized Mo idenfi^ie^^ each felse identity mcluding a set of datawhich is consistent 

- within the set. For eiainple such a database may be stored in databasfc(s).22.. ; 

'y. Credentials geheraied and used as part of the service may be created u^ing a 

• cryptogr^hic key, such that the marking of the credentials could not .be detected without 
: .t^e key. Real data niay be used, so that the party conmaitting firaud will actually perform 

trtie. transactions, mdcoii^ . 

: in other embodiments, a system and method that creates and/or transmits • • 
^Manufactured data, as described herein, may have othCT iises, for example, tramin& 
: testiig, developing, deibdonstrating, etc. For example, responses or other sets of . 

• =pn^i^^ personal data maybe sent to one or more contact points, wherein, 
f fkB^dzta. is used to train people, such as customer support representatives, sales 
;;rc$!resj^^ etc., interactiiig with the system. Both the systein or server generating - 
\ '^e data and th% system receiving the data may be within the same^bigamzation or ithe 
AsaSie ^ysteih. An aiitpmated or s^ni-autbmated systCTl for dealing with large numbex^ bf 
-. people cm be designed, , de^ ; 
"Responses or. s^ts of false or manufactured data may be . sent to demonstrate, debug, test 
jor develop a system, which may deal with sensitive personal information, so that real data 
is not .revealed to the viewers. 

: , A system ahd method that creates and/or transmits feke or .manufactured ^^^^ as 
described herein, may for example be used against software such as I'Trojan horses", or 
other software, where, for instance, malicious software installs itself on a user's sj^em 
^;(e.g., a.woikstatioii, a personal computer, etc.) in stealth mode. The piece of software 
may listen to incoining and outgoing communications of the client's system via for 
escample the Ihtemel; and may monitor browser events and user iopute (e.g. keyboard. 

• logging). When such a piece of software intercepts a login activiiy in which the user logs 
in to a designated web site or system (or to any site), the login credentials may be 

.11. : 
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: -collected through the keyboard logging fecility and covertly, tt^saiiitted to a site in 

• control of the party committing fraud. Such transmission can occur over a multipKcity of 
protocols, such as e-mail (e.g., SMTP), the Internet (e.g., irrti>/HTTPS), FTP, and 
oilers. , ih.one embodiment of.the invention a system and. xnethod mij^. generate and/or 
transfnil^ for. ekanipile in a., set of responses or trausifiissions inchidin^ .feke data, 
.mirniddng the.bdhavior of •TTrojan horses", or other maKcious softwari ih^ inay be 

• desired to be instaUed on a.user's systems. As described heitrfn, such responses may be 
■ ■•sent at a pace thaf mimics k set of responses from a set of geogr^hically dispersed users, 

• using different computer aiid communications systems, and may include, fake data as 
..described hei]ein. In such eiiibodiment, the dilution or responses may. work directly. 

against the party* s contact point, using the protocol chpsen .by the party, anii imitating .the 
vbehavior the software woidd assume. . . • " V 

. WiaiG certain features of the invention.have been illustrated and described herein, 
rmany modifications, substitutions, changes, and equivalents Will now.occur to those of 

ordinary skill m the art It is, therefore, to be understood that the ^'eiided.dlaims are 
. iitfffliided to cover aU suchnibdifications and chaiiges as fell wiOiin the spirit of Ihe. ' 
•'invehtioh. 
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